Redirect DNS traffic with NAT rules

With the new NAT rules I want to redirect all DNS traffic in my network to a DNS server, no matter what DNS settings each device has.

I have configured a NAT rule like this, but devices like Alexa still call 8.8.8.8 directly, bypassing the NAT rule and my DNS server.

With v17.5 it wasn't possible, but I'm wondering if it's possible now with the new NAT options.

This is what I have configured as a NAT rule, but it doesn't work.


Possible solution

I believe the issue is your pihole is also getting caught in this rule: it tries to perform a DNS request, gets its own traffic's destination DNAT'ed to itself, and fails to look up (or performs a loop). Unfortunately there is not an "exception" original source for the DNAT rule. I just resolved this issue by giving my pihole a dedicated interface (a VLAN subinterface), and having the inbound interface be everything except the interface of the pihole.

I don't have "post reply" permissions for some reason, so I could not post a comment/reply to the issue thread.

[edited by: l0rdraiden at 11:59 AM (GMT -8) on 28 Nov 2020]
  • I have this configured and working on my XGv18.  Here are my settings:

    In my case, I'm redirecting all DNS IPv4 to the Sophos box since it is acting as my DNS server.  Usage is over 3700 for the past few days.

  • Is this NAT rule actually needed?? Surely it's the same as v17.5 in v18, isn't it? As long as you enable the DNS service on the LAN Zone under Administration - Device access, your XG will act as the DNS resolver again, right?? This NAT redirect is valid if another IP other than XG itself is your DNS forwarder, though, but I don't have to set anything to use my own XG v18 as my LAN Zone's or whatever Zone's DNS forwarder?

    Correct me if I'm wrong though, but personally I only need DNS in my Device access enabled on my LAN Zone rather than having to use NAT rules again?

    JK

  • john_kenny said:

    Is this NAT rule actually needed?? Surely it's the same as v17.5 in v18, isn't it? As long as you enable the DNS service on the LAN Zone under Administration - Device access, your XG will act as the DNS resolver again, right?? This NAT redirect is valid if another IP other than XG itself is your DNS forwarder, though, but I don't have to set anything to use my own XG v18 as my LAN Zone's or whatever Zone's DNS forwarder?

    Correct me if I'm wrong though, but personally I only need DNS in my Device access enabled on my LAN Zone rather than having to use NAT rules again?

    I don't think that's how the Local Service ACL works (under Administration -> Device Access). My understanding is that by checking 'DNS' for the 'LAN' zone, it's simply saying devices on the LAN zone can access the DNS port (53) on the Sophos XG device itself, not that your clients will use Sophos XG as their DNS.

    To specify the DNS server clients will use, it can be configured via the DHCP server, where you specify the DNS server that will be assigned, but some clients will still use their own DNS, so the NAT rule forces them to use whatever you specify.

    Edit: Sort of unrelated but that actually reminds me, I don't need to set the upstream DNS server in my PiHole to Sophos XG anymore since it appears pharming protection in v18 doesn't exist (I think it was something to do with DPI engine). Previously, I was assigning my PiHole as the DNS via the DHCP server. Within my PiHole settings, I had set the upstream DNS server to Sophos XG to take advantage of pharming protection which required me to have 'DNS' checked in the Local Services ACL for the 'LAN' zone since my PiHole would need to be able to access the Sophos XG DNS server. However, now that I've just set the upstream DNS server to something else (e.g. CloudFlare), I can uncheck 'DNS' in Local Services ACL and everything still works fine.

    ---

    Sophos XG guides for home users: https://shred086.wordpress.com/

  • I forgot the DHCP part, but yeah, DHCP will give out your XG's IP if you set DHCP's DNS as XG's IP, and the DNS in Device access is what allows that zone to use XG as a forwarder... That's how mine's been set up since v15.

    Also, if needed, add a block rule for port 53 from LAN to WAN so no other devices can use any DNS forwarder other than your XG itself, or block any IPs other than the specified IP of the device acting as your DNS forwarder; then you won't get devices trying to use 8.8.8.8. That is something I've found to help prevent device DNS attempts: block rules! Block, or just don't add any rules that allow LAN to WAN dst port 53!!

    But yeah, you are right, it depends if you are going to use XG as your only DNS forwarder or if you want to have another device act as one instead; then NAT redirects are needed as well as setting the device's IP in DHCP as you mentioned.

    I'm still waiting for the EAP of v18 with a DoT or DoH feature built into the DNS forwarder feature; that is one feature I'm eagerly awaiting. Yeah, the DNS forwarder feature has been perfect for use as an edge DNS forwarder, like mentioned earlier, using DHCP & DNS & Device access settings along with a DNS block rule to prevent any device other than XG itself from doing your DNS lookups / forwarding. But as soon as Sophos add DoT or DoH to that too, it will be icing on the cake! I just want my XG to do all this sort of stuff on my LAN so I don't need to use another device to do functions XG still can't yet! Pihole I've not tried, but I have looked at AdGuard Home, which does DoT & DoH now as well as the usual filtering, but XG can do that itself by loading filters into XG's web categories and then adding those into your web policies, and you get filtering via the lists used in AdGuard or Pihole etc....

    See this user's brilliant GitHub page with converted filters that are made to go into XG's web categories:

    https://github.com/austinheap/sophos-xg-block-lists

    FYI, the http links for some reason are broken, but copy the https links and just paste the URL into an XG web category, but as http not https, and it works fine!!

    JK

  • john_kenny said:

    Is this NAT rule actually needed?? Surely it's the same as v17.5 in v18, isn't it? As long as you enable the DNS service on the LAN Zone under Administration - Device access, your XG will act as the DNS resolver again, right?? This NAT redirect is valid if another IP other than XG itself is your DNS forwarder, though, but I don't have to set anything to use my own XG v18 as my LAN Zone's or whatever Zone's DNS forwarder?

    Correct me if I'm wrong though, but personally I only need DNS in my Device access enabled on my LAN Zone rather than having to use NAT rules again?

    I use this rule all the time. It's not needed for your regular PCs and devices that obey DHCP or other methods of specifying DNS servers, but some IoT devices and Roku etc. have hard-coded DNS settings, and they bypass XG and directly talk to the DNS servers if the firewall rules permit. I don't like that and wanted to stop this behavior.

    I haven't used XG since v16.5xx so I am not certain, but previously you could not NAT to the XG IP address. You could NAT it to a separate DNS server but not to XG itself. This is something new in v18. Also notice zone ANY, destination WAN in the interface matching criteria in the post above. That is important: it only redirects DNS traffic that is directly trying to go to WAN and doesn't mess with the traffic that was going directly to XG anyway. If you put ANY ANY in the interface matching criteria, it will still work, but it will also catch traffic that is directly going to XG, using NAT unnecessarily.

    Regards 

  • NAT in v18 has certainly thrown me for a loop! lol. Still trying to keep up with v18 EAP's great additions, but I will get there! lol.

    We've now got hairpin or loopback NATing! With v18's NATing we have many new ways of bending or rewriting / routing traffic in any way needed.

    JK

  • l0rdraiden said:

    With the new NAT rules I want to redirect all DNS traffic in my network to a DNS server, no matter what DNS settings each device has.

    I have configured a NAT rule like this, but devices like Alexa still call 8.8.8.8 directly, bypassing the NAT rule and my DNS server.

    With v17.5 it wasn't possible, but I'm wondering if it's possible now with the new NAT options.

    This is what I have configured as a NAT rule, but it doesn't work.

    This rule will work if you MASQ the translated source. If you want pretty pihole graphs, then use your rule; otherwise use the rule that was posted above and then point your XG to your pihole in DNS settings under Configure network -> DNS.

    Regards

  • So why do you say my rule will work if I MASQ the translated source?

    My rule doesn't work, and I would like to have the detail in pihole of which original IP the request is coming from.

    If I use what casual_user did, all the requests will come from XG to my Pihole.

    So, is it possible to do what I am trying to do? I have it configured but I don't see the requests in pihole, and the Sophos logs are empty, which is a bad joke considering this is an enterprise-grade firewall.

  • Ok, you probably have your Pi-hole in your LAN network. I was assuming it was in the WAN network, since Sophos is not my edge firewall in the lab and my Pi-hole is WAN for my setup... The difference being I already have a firewall rule to allow traffic to WAN... no big deal. Since you are masquerading traffic with the NAT rule, you have to set up a firewall rule to allow that traffic back into LAN.

    Here are the steps:

    1. Create a firewall rule allowing src zone LAN, destination zone LAN, service DNS.

    Then use your pihole NAT rule with MASQ.

  • Unless you're running different subnets within a LAN zone, I'm not sure what the purpose of a LAN to LAN firewall rule is. MASQ shouldn't be required either.

    I'm pretty sure the OP is just running a typical setup with PiHole in the same subnet as his devices. No idea why the rule the OP posted doesn't work. Perhaps try setting the interface matching to Any? It could very well be an issue with v18.

    ---

    Sophos XG guides for home users: https://shred086.wordpress.com/
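A small model of the redirect-DNS DNAT rule discussed in this thread, added here as an illustration and not Sophos code or anything posted above. It shows the Pi-hole self-loop from the "Possible solution" post and the interface-matching point (WAN-bound only vs ANY/ANY) from the reply about zone ANY / destination WAN; all addresses and flows are constructed, and `exclude_src` stands in for the source exception the poster says the GUI lacks.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed lab addressing: the Pi-hole and the XG both sit in the LAN subnet.
LAN = ip_network("192.168.1.0/24")
XG = ip_address("192.168.1.1")
PIHOLE = ip_address("192.168.1.53")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


@dataclass
class DnatRule:
    """Model of a 'redirect all DNS' destination-NAT rule (not Sophos code)."""
    target: IPv4Address = PIHOLE            # translated destination
    dst_port: int = 53                      # plain DNS only: DoT (853) / DoH (443) are not caught
    exclude_src: frozenset = frozenset()    # hypothetical 'exception' source the GUI lacks
    wan_bound_only: bool = True             # 'in: Any, out: WAN' matching vs 'Any/Any'


def apply_rule(rule: DnatRule, flow: Flow) -> str:
    """Return the destination IP the packet is actually delivered to after NAT."""
    if flow.dport != rule.dst_port:
        return flow.dst
    if ip_address(flow.src) in rule.exclude_src:
        return flow.dst
    # A destination inside the LAN (e.g. the XG itself) never leaves via WAN,
    # so WAN-bound matching leaves it alone; Any/Any would still rewrite it.
    if rule.wan_bound_only and ip_address(flow.dst) in LAN:
        return flow.dst
    return str(rule.target)


def find_loops(rule: DnatRule, flows: list) -> list:
    """Flows the DNS server itself sends upstream that get NATed straight back to it."""
    return [f for f in flows
            if ip_address(f.src) == rule.target and apply_rule(rule, f) == str(rule.target)]


# Constructed traffic: a hard-coded IoT device, a well-behaved client, the Pi-hole's upstream query.
FLOWS = [
    Flow("192.168.1.40", "8.8.8.8", 53),    # Alexa-style device ignoring the DHCP-assigned DNS
    Flow("192.168.1.41", str(XG), 53),      # client already using the XG resolver
    Flow(str(PIHOLE), "1.1.1.1", 53),       # Pi-hole forwarding to its upstream resolver
    Flow("192.168.1.40", "8.8.8.8", 443),   # not port 53, so untouched by the rule
]
```

Running `find_loops(DnatRule(), FLOWS)` returns the Pi-hole's own upstream query, which is the looping flow; the same call with `exclude_src=frozenset({PIHOLE})` returns nothing.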